
Include Cache-Control and Pragma headers in token exchange response example

Open barnabywalters opened this issue 2 years ago • 2 comments

According to https://www.rfc-editor.org/rfc/rfc6749#section-5.1, token exchange responses MUST contain the following headers:

Cache-Control: no-store
Pragma: no-cache

Consider adding these to https://indieauth.spec.indieweb.org/#example-12 to make it more likely that people implementing IndieAuth servers based purely on the IndieAuth spec include them

barnabywalters avatar Oct 23 '22 17:10 barnabywalters

good idea, definitively do that IMHO

sknebel avatar Oct 23 '22 17:10 sknebel

Looks like it might be better to reduce this to only Cache-control: no-store, as while Pragma is required for OAuth 2.0, it’s dropped in 2.1 due to its behaviour being undefined (https://github.com/Taproot/indieauth/issues/22)

barnabywalters avatar Nov 22 '22 15:11 barnabywalters
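As an added illustration of the point raised in the opening comment and refined in the last one (this is example code written for this page, not code from the IndieAuth spec or any project): a minimal IndieAuth token-endpoint response builder that always sets `Cache-Control: no-store`, adds `Pragma: no-cache` only when an implementer still wants the RFC 6749 form, and a small checker that flags a response missing those headers. The token, scope and `me` values are constructed placeholders; the function names are my own.

```python
import json
from typing import Dict, List, Tuple

# Headers RFC 6749 section 5.1 requires on a token response.
# OAuth 2.1 drops Pragma, so Cache-Control: no-store is the one to insist on;
# Pragma: no-cache is kept here as an optional legacy addition.
REQUIRED_CACHE_CONTROL_DIRECTIVE = "no-store"
LEGACY_PRAGMA_VALUE = "no-cache"


def build_token_response(
    access_token: str, me: str, scope: str, include_legacy_pragma: bool = False
) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for an IndieAuth token exchange response.

    The body fields mirror the spec's token response example; the headers
    add what the issue asks for. (Example helper, not the spec's own code.)
    """
    body = {
        "access_token": access_token,
        "token_type": "Bearer",
        "scope": scope,
        "me": me,
    }
    headers = {
        "Content-Type": "application/json",
        # Tells every cache in the path (browser, proxy, CDN) never to store
        # the response, so the access token cannot be served to another client.
        "Cache-Control": REQUIRED_CACHE_CONTROL_DIRECTIVE,
    }
    if include_legacy_pragma:
        headers["Pragma"] = LEGACY_PRAGMA_VALUE
    return 200, headers, json.dumps(body)


def missing_cache_headers(headers: Dict[str, str], require_pragma: bool = False) -> List[str]:
    """List the cache headers a token response is missing (empty list = OK).

    Header names are case-insensitive and Cache-Control may carry several
    directives, so the check parses the directive list rather than comparing
    the raw string.
    """
    lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
    problems: List[str] = []

    directives = {d.strip() for d in lower.get("cache-control", "").split(",")}
    if REQUIRED_CACHE_CONTROL_DIRECTIVE not in directives:
        problems.append("Cache-Control: no-store")

    if require_pragma and lower.get("pragma") != LEGACY_PRAGMA_VALUE:
        problems.append("Pragma: no-cache")
    return problems


if __name__ == "__main__":
    # Constructed sample values; a real endpoint would mint its own token
    # and use the authenticated user's profile URL as "me".
    status, hdrs, body = build_token_response(
        access_token="example-token-value",
        me="https://user.example.net/",
        scope="create update",
    )
    print(status, hdrs, body)
    print("problems:", missing_cache_headers(hdrs))
    # A response that only sets Content-Type would be flagged:
    print("problems:", missing_cache_headers({"Content-Type": "application/json"}))
```

The checker is the part worth wiring into a test suite for a token endpoint: run it against the actual HTTP response and fail the test if the list is non-empty, so a refactor that drops the header is caught before it reaches production.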